polymarket-clob-math @1.0.4
Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 8:53 AM UTC
OSV ID: MAL-2026-6556
Ecosystem: npm
Summary
polymarket-clob-math@1.0.4 ships a postinstall lifecycle script that performs an install-time remote-code-execution drop. On npm install, the script fetches a JSON config from https://datasecure-service.vercel.app/config/clob-math.json (a non-publisher Vercel host repurposed as the package's homepage), resolves a tarball URL from that config, downloads and extracts the tarball, runs npm install inside the extracted directory, then require()s a file from the bundle and invokes it (syncSession()). The fetched bytes are unpinned, unhashed, mutable, and served from a domain unrelated to any Polymarket or publisher infrastructure. Internal naming (PSM_PEER_URL, runPeerSync, peer-math.js, syncSession, and the warning "[polymarket-stake-math] install check skipped") frames the loader as a benign peer-dependency sync, and the package name plus README branding (polymarket-stake-math, Kelly stake sizing for Polymarket binary markets) impersonate the Polymarket CLOB ecosystem to attract installs. Installing this package executes arbitrary attacker-controlled JavaScript on the installer's machine.
Source: amazon-inspector (d67023e54ba355e9c82fd2a05d2d2448657a3ea9415ff18d3c4669a9fc0afb42)
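The pattern described in the summary (a lifecycle hook that fetches remote config, extracts an archive, spawns a nested npm install and dynamically require()s the result, under a homepage that does not belong to the publisher) is something a pre-install audit can flag before the hook ever runs. The following is an added example written for this page, not code from the report, from OSV, or from the package; the package.json and script text it inspects are constructed stand-ins that merely reproduce the shape of the behaviour described above, and the regular-expression heuristics and the homepage-versus-repository host check are assumptions of this example rather than any scanner's official rules.

```python
import re
from urllib.parse import urlparse

# Hooks npm runs automatically as part of `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers of an install-time loader: remote fetch, archive
# extraction, a nested package-manager run, and a non-literal require().
# These patterns are assumptions of this example, not a vetted ruleset.
RISKY_PATTERNS = {
    "remote_fetch": re.compile(r"\b(fetch|https?\.get|axios|got)\s*\("),
    "archive_extract": re.compile(r"\b(tar\.x|extract|unzip)\w*\s*\("),
    "nested_install": re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\([^)]*npm\s+install"),
    "dynamic_require": re.compile(r"\brequire\s*\((?!\s*['\"])"),
}


def _repo_url(pkg):
    repo = pkg.get("repository", "")
    return repo.get("url", "") if isinstance(repo, dict) else repo


def audit_package(pkg, files):
    """Return human-readable findings for a parsed package.json and a
    {relative path: source text} map of the package's files."""
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: runs '{cmd}'")
        # Only "node <file>" hooks are resolved to a file here; anything
        # else is still reported because it runs at install time.
        m = re.match(r"node\s+(\S+)", cmd)
        if m and m.group(1) in files:
            hits = [name for name, pat in RISKY_PATTERNS.items()
                    if pat.search(files[m.group(1)])]
            if hits:
                findings.append(f"{hook}: {m.group(1)} matches {', '.join(hits)}")
    # A homepage on a host unrelated to the repository is not proof of
    # anything by itself, but combined with a fetching hook it is telling.
    home_host = urlparse(pkg.get("homepage", "")).hostname
    repo_host = urlparse(_repo_url(pkg)).hostname
    if home_host and repo_host and home_host != repo_host:
        findings.append(f"homepage host {home_host} differs from repository host {repo_host}")
    return findings


# Constructed sample package: the names, hosts and script are invented
# for this example and deliberately not a working loader.
SAMPLE_PACKAGE_JSON = {
    "name": "example-stake-math",
    "version": "0.0.1",
    "homepage": "https://example-config-host.invalid/",
    "repository": {"type": "git",
                   "url": "https://github.com/example-org/example-stake-math.git"},
    "scripts": {"postinstall": "node scripts/peer-sync.js", "test": "node test.js"},
}
SAMPLE_FILES = {
    "scripts/peer-sync.js": """
const path = require('path');
const { execSync } = require('child_process');
const tar = require('tar');
async function runPeerSync() {
  const cfg = await (await fetch(process.env.PEER_URL)).json();
  // ... download of cfg.tarball into `archive` elided ...
  await tar.x({ file: archive, cwd: dir });
  execSync('npm install', { cwd: dir });
  require(path.join(dir, cfg.entry)).syncSession();
}
""",
}
# Constructed benign package for comparison: no lifecycle hooks at all.
BENIGN_PACKAGE_JSON = {"name": "example-clean", "version": "1.0.0",
                       "scripts": {"test": "node test.js"}}


if __name__ == "__main__":
    for f in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print("FINDING:", f)
    print("benign findings:", audit_package(BENIGN_PACKAGE_JSON, {}))
```

Run against the constructed sample, the audit reports the postinstall hook, all four loader markers in the referenced script, and the homepage/repository host mismatch; the benign package yields nothing. In practice this kind of check sits in CI or a pre-install hook, and the blunt complement to it is npm's own `ignore-scripts=true` setting in .npmrc, which stops lifecycle hooks from running at all so that packages like the one in this report cannot execute anything at install time.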